Note: unless you specify offline_access, your tokens will expire as soon as the user signs out of Facebook.

Note: client_secret is not supplied:

[3.5.1. User-Agent Flow] This user-agent flow does not utilize the client secret since the client executables reside on the end user’s computer or device which makes the client secret accessible and exploitable.

secret_type
OPTIONAL. The access token secret type as described by Section 5.3.
If omitted, the authorization server will issue a bearer token
(an access token without a matching secret) as described by Section 5.2.

So we have been issued a bearer token: anyone holding it can use it, so it has to be protected in transit (TLS only) and wherever it is stored.

I think this refers to OAuth 1.0-style authentication using a token secret; you would only need one of those if you were requiring signed requests. This seems to contradict the part above about the client secret being exposed on the user agent.

Refreshing tokens

Section 3.5.1 describes that the access token may be delivered with an optional refresh_token parameter in the fragment. On expiry, this can be exchanged at the token endpoint for a new access token. No refresh token is supplied by the Facebook API under the user-agent flow, meaning you will have to ask users to sign in again.
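To make the two points above concrete, here is an added Python example (not code from this post or from Facebook): it parses a user-agent flow redirect, where the token parameters live in the URI fragment, shows what a server receives from that same URL (browsers never send the fragment), and decides whether a stored token can be refreshed or the user has to sign in again. The refresh exchange is an injected callable rather than a real HTTP call, and the sample redirect URL and token values are constructed for the example.

```python
"""Added example: user-agent flow redirect handling and token renewal.

Assumptions (not from the post): the refresh exchange is an injected
callable, and the sample redirect below is constructed, not a real one.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class TokenRecord:
    access_token: str
    expires_at: Optional[float]    # absolute UNIX time; None if no expires_in was given
    refresh_token: Optional[str]   # None if the server issued none (Facebook's case)

    def expired(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at


def _first(params: dict, key: str) -> Optional[str]:
    return params.get(key, [None])[0]


def parse_user_agent_redirect(url: str, now: float) -> TokenRecord:
    """User-agent flow: token parameters arrive in the URI fragment (after '#').

    The fragment is read by script running in the page at redirect_uri; it is
    never part of the HTTP request, so a server cannot see it.
    """
    params = parse_qs(urlsplit(url).fragment)
    token = _first(params, "access_token")
    if token is None:
        raise ValueError("no access_token in fragment: " + url)
    expires_in = _first(params, "expires_in")
    return TokenRecord(
        access_token=token,
        expires_at=now + int(expires_in) if expires_in else None,
        refresh_token=_first(params, "refresh_token"),
    )


def server_visible_part(url: str) -> str:
    """The request a server such as Apache receives: the URL minus its fragment."""
    return urlsplit(url)._replace(fragment="").geturl()


def renew(record: TokenRecord, now: float,
          exchange_refresh_token: Callable[[str], TokenRecord]) -> Tuple[TokenRecord, str]:
    """Return (record, action) where action is 'keep', 'refreshed' or 'reauthorize'."""
    if not record.expired(now):
        return record, "keep"
    if record.refresh_token is None:
        # No refresh token was issued, so the only way to a new access token
        # is to send the user back through /authorize.
        return record, "reauthorize"
    return exchange_refresh_token(record.refresh_token), "refreshed"


# Constructed sample (not a real Facebook redirect or token).
SAMPLE_REDIRECT = "https://example.com/cb#access_token=abc123&expires_in=3600"

if __name__ == "__main__":
    rec = parse_user_agent_redirect(SAMPLE_REDIRECT, now=1000.0)
    print(rec)                                     # refresh_token=None
    print(server_visible_part(SAMPLE_REDIRECT))    # https://example.com/cb
    print(renew(rec, 5000.0, lambda rt: rec)[1])   # reauthorize
```

The fragment keeps the token out of server logs and Referer headers, but it still lands in browser history, so client-side code should read it and then replace the location without the fragment.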

Autonomous client flows are used to grant client access to protected resources controlled by the client (i.e. the client is the resource owner). For example, these flows are useful when a service provides both client-specific resources in addition to end user resources.

And more specifically, the Client Credentials Flow is described in section 3.7.1:

The client credentials flow is used when the client acts autonomously without acting on behalf of a separate resource owner. The client secret is assumed to be high-entropy since it is not designed to be memorized by an end user.

Where a client is:

An HTTP client capable of making authenticated requests for protected resources using the OAuth protocol. [This is third-party application that wants to access a resource owner’s Facebook account.]

And a resource owner:

An entity capable of granting access to a protected resource. [This is the user who owns the Facebook account.]

[TBD: So what?]
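An added Python example (not from this post or from the draft) of the client credentials flow seen from the token endpoint's side, since the quotes above only describe it. The request parameters type=client_credentials, client_id and client_secret are the draft's; the error strings, the 32-byte generated secret, the bearer-token format and the in-memory stores are this example's own assumptions. It shows what "the client is the resource owner" means in practice: the issued token is tied to the client_id, not to any user.

```python
"""Added example: a token endpoint for the client credentials flow.

Assumptions (not from the post): request parameters type=client_credentials,
client_id and client_secret as in OAuth 2.0 draft 5; the error strings;
a 32-byte random client secret; in-memory stores.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

MIN_SECRET_BYTES = 32   # assumption: 256 bits; "high-entropy" because no human types it


class TokenEndpoint:
    def __init__(self) -> None:
        self._clients: Dict[str, str] = {}   # client_id -> client_secret
        self._tokens: Dict[str, str] = {}    # bearer token -> client_id (its resource owner)

    def register_client(self) -> Tuple[str, str]:
        """Issue credentials. The secret is generated, never chosen or memorized."""
        client_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(MIN_SECRET_BYTES)
        self._clients[client_id] = client_secret
        return client_id, client_secret

    def handle(self, body: str) -> Dict[str, str]:
        """Process a form-encoded POST body and return the reply as a dict."""
        p = {k: v[0] for k, v in parse_qs(body).items()}
        if p.get("type") != "client_credentials":
            return {"error": "unsupported_flow"}
        # An unknown client_id is compared against a fresh random value so the
        # time taken does not reveal whether the id exists.
        expected = self._clients.get(p.get("client_id", ""),
                                     secrets.token_urlsafe(MIN_SECRET_BYTES))
        if not hmac.compare_digest(expected, p.get("client_secret", "")):
            return {"error": "incorrect_client_credentials"}
        # No secret_type was requested, so this is a bearer token with no token secret.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = p["client_id"]
        return {"access_token": token}

    def owner_of(self, token: str) -> Optional[str]:
        """The resource owner behind a token: in this flow, the client itself."""
        return self._tokens.get(token)


def client_credentials_request(client_id: str, client_secret: str) -> str:
    """Body the client POSTs. The secret must only ever leave a server-side process,
    which is exactly why the user-agent flow above cannot use it."""
    return urlencode({"type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    cid, secret = endpoint.register_client()
    reply = endpoint.handle(client_credentials_request(cid, secret))
    print(reply, endpoint.owner_of(reply["access_token"]) == cid)
```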

Tokens, sessions and that

You can see more information about the authentication flow by using a bogus redirect_uri, i.e., one that does not match the Connect URL setting in your application, e.g.:

Yeah, if you use their ID it should work, it’s just when you’re accessing using ‘me’ that you’ll get the “QueryParseException”.

Like you pointed out earlier, the access_tokens of facebook’s docs are very different than the ones returned by OAuth. I just can’t figure out if there’s another param we should be passing to get that type of access token, or if it’s just simply a bug at this point.

The results differ in only some cases. If you grant your app extended permissions you should see your email address when you query your user id “https://graph.facebook.com/USERID?access_token=…” If you try the same request without the access token the email address will not appear.

However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.”

* Again this is as specified on Facebook’s documentation. The code parameter is the url encoded access token returned from the initial authorize request. It is named ‘code’.

3. From there you read in your key from the response. I url encode the key before making any requests. Additionally, the ‘me’ shown on Facebook’s example should be replaced with the user’s id. The user id can be found in the access key.

An interesting note on getting a validation code. I was dynamically generating the callback based off of the current URI in my application. This came around and bit me because I ended up including the ‘?code=…’ query string in my subsequent request to https://graph.facebook.com/oauth/access_token. Make sure your callback doesn’t have any query string parameters. That was my first mistake.

The access token I find in the code parameter looks like: “b82e041b187c0229846xxxxxx-5814xxx|PPEIc1xxxx-H2XNK0LuIixxxx.” The access token value you’ve shown is similar to those used on facebook’s example http://developers.facebook.com/docs/api
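The sequence the comment above walks through (authorize, read ?code= from the callback, exchange it at /oauth/access_token with a redirect_uri that carries no query string, URL-encode the code), as an added Python example that is neither the commenter's code nor Facebook's. The endpoint URLs, parameter names (client_id, redirect_uri, client_secret, code) and the form-encoded access_token=…&expires=… reply are as quoted in this thread; the state parameter, which ties the callback to the session that started it, is an addition, and the HTTP call is an injected callable so the example runs offline on constructed values.

```python
"""Added example: server side of the web-server (authorization code) flow.

Assumptions (not from the thread): the 'state' parameter; HTTP is an injected
callable; all sample values are constructed.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTHORIZE_URL = "https://graph.facebook.com/oauth/authorize"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def clean_redirect_uri(request_url: str) -> str:
    """Strip query and fragment. redirect_uri must be identical in the /authorize
    and /access_token requests, and the callback arrives with ?code=... appended,
    so deriving it from the current request URL without this step breaks the exchange."""
    p = urlsplit(request_url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def build_authorize_url(client_id: str, redirect_uri: str,
                        scope: List[str], state: str) -> str:
    """Step 1: where the 'login with FB' button sends the browser."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scope),
        "state": state,   # assumption: random per-session value, checked on return
    })


def handle_callback(callback_url: str, expected_state: str, client_id: str,
                    client_secret: str,
                    http_get: Callable[[str], str]) -> Tuple[str, Optional[int]]:
    """Steps 2-3: read ?code= from the callback and exchange it for an access token.

    Returns (access_token, expires). The token endpoint reply is form-encoded
    (access_token=...&expires=...), as the thread reports; urlencode/parse_qs
    take care of the '|' characters inside the code and token."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise PermissionError("state mismatch: callback not started by this session")
    code = q.get("code")
    if code is None:
        raise ValueError("no code in callback: " + q.get("error", "unknown"))
    body = http_get(TOKEN_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": clean_redirect_uri(callback_url),
        "client_secret": client_secret,   # stays on the server; never in a page or script
        "code": code,
    }))
    reply = {k: v[0] for k, v in parse_qs(body).items()}
    if "access_token" not in reply:
        raise RuntimeError("token endpoint did not return a token: " + body)
    expires = reply.get("expires")
    return reply["access_token"], int(expires) if expires else None


if __name__ == "__main__":
    # Constructed values; the fake endpoint stands in for graph.facebook.com.
    print(build_authorize_url("123", "https://example.com/cb", ["email"], "st8"))
    fake = lambda url: "access_token=abc%7Cdef&expires=3600"
    print(handle_callback("https://example.com/cb?code=c0de%7Cxyz&state=st8",
                          "st8", "123", "s3cret", fake))
```

With the token in hand, query https://graph.facebook.com/USERID?access_token=… rather than /me if /me misbehaves, as the comment suggests; the redirect_uri check is the part most people get wrong, and the state check is what stops someone else's code from being bound to your session.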

Alex, any luck with accessing friends using a user’s uid? Per your previous post here:

“However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.””

I can access everything else but friends mysteriously fails. Using “me” doesn’t work and I have a suspicious access token as well.

Everything after a ‘#’ is a fragment. These portions are supposed to be available to the client. I can attest that Apache strips them off. So, while the user-agent flow is the easiest way of getting a token, I have found it entirely unsuitable for a server based implementation.

I suspect that you aren’t actually authorized. Try the same request without the access_token part and you will probably get the same information that you are seeing. It’s the public information that anyone could see

One thing to note here is that the access token, e.g. 116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|QXlU1XfJR1mMagHLPtaMjJzFZp4. will expire after a certain time, based on this: 1272535200 value (correct me if I’m wrong). Does this mean users need to repeat the authorization process again each and every time the token expires?

In the new Graph API it does not tell me what kind of application I need to have to get stream_publish to work; but it may be that I’m implicitly asking for permission to the app’s page, which doesn’t work.

When I replace client_id with my own user-id, I get redirected to a login.php which does not function…

What is most frustrating about the whole thing is we’ve successfully installed ‘Networked Blogs’ which publishes freely to our stream, but there seems to be no clear documentation on how to get an application that I control the authorization to publish.

I suspect there is an invisible inner circle here, but my immediate concern is to see that I’m following the spec exactly as they say it should be done. As it stands I’m doing what they ask in the docs but it is failing.

I have seen this complaint on the FB forums, so I thought I would pass it along. I think that some people are trying to authorize as many of the extended permissions that they can (scopes) and are running into the URL limit

Here is what I want to do: provide a ‘login w/ FB’ button, throw to /authorize, get a code, throw to /access_token, get an access_token, and be able to hit https://graph.facebook.com/me for info about the user.

I just can’t seem to get to the last part. If I can’t hit /me, how do I get the ID of the current user and hit that instead?

I am having some weird canvas issues with the graph API that are only affected when I choose FBML over iframe. When I choose FBML and navigate to the page I try to call the authorize method and get this error

I hope to comb through the information here to get Facebook’s awful API to work properly. The documentation is all over the place, sparse and badly written, has poor examples, and the API is flaky at best. Judging from the amount of posts around the Internets, I rest assured the problem does not lie with me.

[…] I had more success with facebook last week. Connecting to twitter and foursquare were faster to do than facebook because facebook uses a different authentication version and its documentation neglects to mention some things. The draft specs for OAuth 2.0 were helpful as were the developers forum and various blogs. […]

[…] Example.php on Github, this is the definitive way of using PHP and JavaScript for Facebook – Ben Biddington’s Facebook Graph API and Getting Access Tokens Great post on almost everything surrounding this issue. – Bugzilla bug report on Cookie issues […]